From 11e96c82d64722d9649b0c429ac21ce675dead65 Mon Sep 17 00:00:00 2001
From: "Ehsan.Asadi"
Date: Tue, 30 Dec 2025 17:10:56 +0330
Subject: [PATCH] fix: optimize Helm chart for landing page
- Remove duplicate application-credentials.yaml template
- Fix Reflex environment: production -> prod, staging -> dev
- Switch from Nginx to Traefik ingress controller
- Optimize resources for simple landing page (1 replica, minimal CPU/RAM)
- Disable autoscaling and PDB for landing page
- Add registry credentials for hub.peikarband.ir
- Clean up secrets configuration
---
.../templates/application-credentials.yaml | 14 -------
helm/peikarband/values-production.yaml | 42 +++++++++----------
helm/peikarband/values-staging.yaml | 7 ++--
helm/peikarband/values.yaml | 14 +++----
4 files changed, 32 insertions(+), 45 deletions(-)
delete mode 100644 helm/peikarband/templates/application-credentials.yaml
diff --git a/helm/peikarband/templates/application-credentials.yaml b/helm/peikarband/templates/application-credentials.yaml
deleted file mode 100644
index d94aa35..0000000
--- a/helm/peikarband/templates/application-credentials.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if .Values.appSecrets.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Values.appSecrets.name }}
- labels:
- {{- include "peikarband.labels" . | nindent 4 }}
-type: Opaque
-stringData:
- db-username: {{ .Values.appSecrets.dbUsername | quote }}
- db-password: {{ .Values.appSecrets.dbPassword | quote }}
- redis-password: {{ .Values.appSecrets.redisPassword | quote }}
-{{- end }}
-
diff --git a/helm/peikarband/values-production.yaml b/helm/peikarband/values-production.yaml
index c377119..22bcdad 100644
--- a/helm/peikarband/values-production.yaml
+++ b/helm/peikarband/values-production.yaml
@@ -11,19 +11,19 @@ registrySecret: enabled: true name: hub-registry-secret server: hub.peikarband.ir - username: "admin" # Set via ArgoCD UI: Parameters → registrySecret.username - password: "5459ed7590d37656410fae38bdf59eb7ee33b68cd4c" # Set via ArgoCD UI: Parameters → registrySecret.password + username: "admin" + password: "5459ed7590d37656410fae38bdf59eb7ee33b68cd4c" imagePullSecrets: - name: hub-registry-secret # Auto-create application secrets (database, redis, etc) appSecrets: - enabled: true + enabled: false # Set to true if you need database/redis name: peikarband-prod-secrets - dbUsername: "REPLACE_ME" # Set via ArgoCD UI: Parameters → appSecrets.dbUsername - dbPassword: "REPLACE_ME" # Set via ArgoCD UI: Parameters → appSecrets.dbPassword - redisPassword: "REPLACE_ME" # Set via ArgoCD UI: Parameters → appSecrets.redisPassword + dbUsername: "" + dbPassword: "" + redisPassword: "" # Reflex configuration for production reflex: 
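Review bot: The registry password for hub.peikarband.ir stays committed in plaintext in `registrySecret.password`; the new lines only drop the "Set via ArgoCD UI" comments, so the literal now reads as the intended source of truth. The values.yaml hunk of this same patch blanks both fields and says "DO NOT commit passwords", so the two files contradict each other. Suggest `username: ""` and `password: ""` here too, with the real values supplied through ArgoCD parameters or a pre-created pull secret that `imagePullSecrets` references. Because the value is already in the repository history and in this patch, it should be treated as exposed and rotated on the registry, not merely removed from the file.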
@@ -36,28 +36,28 @@ podAnnotations: resources: limits: - cpu: 500m - memory: 1Gi - requests: cpu: 200m memory: 256Mi + requests: + cpu: 50m + memory: 128Mi autoscaling: enabled: false - minReplicas: 3 - maxReplicas: 20 - targetCPUUtilizationPercentage: 60 - targetMemoryUtilizationPercentage: 70 + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 70 + targetMemoryUtilizationPercentage: 80 ingress: enabled: true - className: "nginx" + className: "traefik" annotations: cert-manager.io/cluster-issuer: "letsencrypt-prod" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/rate-limit: "100" - nginx.ingress.kubernetes.io/proxy-body-size: "10m" + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.tls: "true" + # Rate limiting and body size should be configured via Traefik Middleware + # Example: traefik.ingress.kubernetes.io/router.middlewares: default-ratelimit@kubernetescrd hosts: - host: peikarband.ir paths: @@ -99,11 +99,11 @@ configMap: data: APP_NAME: "peikarband" LOG_LEVEL: "warning" - ENVIRONMENT: "production" + ENVIRONMENT: "prod" podDisruptionBudget: - enabled: true - minAvailable: 2 + enabled: false + minAvailable: 1 networkPolicy: enabled: true diff --git a/helm/peikarband/values-staging.yaml b/helm/peikarband/values-staging.yaml index 6a4fe3c..4a47a88 100644 --- a/helm/peikarband/values-staging.yaml +++ b/helm/peikarband/values-staging.yaml @@ -22,10 +22,11 @@ autoscaling: ingress: enabled: true - className: "nginx" + className: "traefik" annotations: cert-manager.io/cluster-issuer: "letsencrypt-staging" - nginx.ingress.kubernetes.io/ssl-redirect: "true" + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.tls: "true" hosts: - host: staging.peikarband.ir paths: 
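Review bot: The new Traefik annotations under `ingress.annotations` do not replace three controls the removed nginx annotations enforced: the forced HTTP-to-HTTPS redirect, `rate-limit: "100"` and `proxy-body-size: "10m"`. Only a comment is left in their place. With `router.entrypoints: "websecure"` the route is bound to the TLS entrypoint only, so whether plain-HTTP requests are redirected now depends on the Traefik installation's entrypoint configuration, which this patch does not show. Suggest shipping redirectScheme, rateLimit and buffering Middleware resources with the chart and referencing them through an active annotation such as `traefik.ingress.kubernetes.io/router.middlewares: "<namespace>-<middleware-name>@kubernetescrd"`. The ingress hunks in values-staging.yaml and values.yaml lose the redirect in the same way.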
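Review bot: `networkPolicy.enabled: true` remains unchanged directly below the PDB lines in the `@@ -99,11` hunk, while this same file moves the ingress controller from nginx to Traefik. If the chart's NetworkPolicy template admits traffic by the nginx controller's namespace or pod labels (the template is not part of this patch), requests from Traefik would be dropped, so the selector should be checked before rollout. Separately, `minAvailable: 1` combined with the single replica named in the commit message would block voluntary evictions if the PDB is re-enabled later. A comment like `# single replica: minAvailable: 1 blocks node drains, prefer maxUnavailable: 1` on that line would record this.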
@@ -53,7 +54,7 @@ configMap: data: APP_NAME: "peikarband-staging" LOG_LEVEL: "debug" - ENVIRONMENT: "staging" + ENVIRONMENT: "dev" podDisruptionBudget: enabled: false diff --git a/helm/peikarband/values.yaml b/helm/peikarband/values.yaml index 49ae8e3..b62b4dc 100644 --- a/helm/peikarband/values.yaml +++ b/helm/peikarband/values.yaml @@ -15,8 +15,8 @@ registrySecret: enabled: false # Set to true in production values name: hub-registry-secret server: hub.peikarband.ir - username: "admin" # Set via ArgoCD values or --set - password: "5459ed7590d37656410fae38bdf59eb7ee33b68cd4c" # Set via ArgoCD values or --set + username: "" # MUST be set via ArgoCD values or --set (DO NOT commit passwords) + password: "" # MUST be set via ArgoCD values or --set (DO NOT commit passwords) # Application secrets (database, redis, etc) appSecrets: @@ -62,11 +62,11 @@ service: ingress: enabled: true - className: "nginx" + className: "traefik" annotations: cert-manager.io/cluster-issuer: "letsencrypt-prod" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.tls: "true" hosts: - host: peikarband.ir paths: @@ -134,7 +134,7 @@ readinessProbe: env: - name: REFLEX_ENV - value: "production" + value: "prod" - name: PYTHONUNBUFFERED value: "1" @@ -148,7 +148,7 @@ configMap: data: APP_NAME: "peikarband" LOG_LEVEL: "info" - ENVIRONMENT: "production" + ENVIRONMENT: "prod" secretRef: name: "peikarband-secrets"
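Review bot: `ENVIRONMENT: "dev"` now sits beside `LOG_LEVEL: "debug"` in the staging configMap, for a host (staging.peikarband.ir) that this file publishes through the ingress. How the application consumes ENVIRONMENT is not visible in the patch, but if it switches on development behaviour from this value, staging would expose that behaviour on a reachable endpoint. If the change is only needed to pass a valid Reflex mode, `ENVIRONMENT: "prod"` with debug logging would keep staging closer to production. Otherwise add a comment explaining why dev mode is wanted and restrict who can reach the staging host.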
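Review bot: The "MUST be set" requirement on `registrySecret.username` and `registrySecret.password` in the values.yaml `@@ -15,8` hunk is enforced only by a comment. With `enabled: true` and these empty defaults the chart would presumably render a pull secret with blank credentials, and the failure would surface later as an image-pull error. If the secret template belongs to this chart (it is not in the patch), guard it with Helm's `required`, for example `{{ required "registrySecret.password must be set" .Values.registrySecret.password }}`. The comment would also read better as "DO NOT commit credentials", since it is attached to the username line as well.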